author | Fup Duck <fupduck@sacknagel.com> | 2018-02-11 13:25:24 +0100 |
---|---|---|
committer | Fup Duck <fupduck@sacknagel.com> | 2018-02-11 13:28:43 +0100 |
commit | ca82cdf77ee4d30b820a1f936315c6c5be78359d (patch) | |
tree | 90f031e4b2603a8254d178317942e808adba6099 /app/src/main/java/se/leap/bitmaskclient/Provider.java | |
parent | df4bf064a8c9310ed887d80bf6cd6328d1363f49 (diff) |
8827 - discussion
* validate urls before changing anything in Provider.define()
* save private key and vpn cert after login/signup
Diffstat (limited to 'app/src/main/java/se/leap/bitmaskclient/Provider.java')
-rw-r--r-- | app/src/main/java/se/leap/bitmaskclient/Provider.java | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/app/src/main/java/se/leap/bitmaskclient/Provider.java b/app/src/main/java/se/leap/bitmaskclient/Provider.java
index 4d608222..e53dd4fb 100644
--- a/app/src/main/java/se/leap/bitmaskclient/Provider.java
+++ b/app/src/main/java/se/leap/bitmaskclient/Provider.java
@@ -141,9 +141,27 @@ public final class Provider implements Parcelable {
 }
 }
- public void define(JSONObject providerJson) {
- definition = providerJson;
- parseDefinition(definition);
+ public boolean define(JSONObject providerJson) {
+ /*
+ * fix against "api_uri": "https://calyx.net.malicious.url.net:4430",
+ * This method aims to prevent attacks where the provider.json file got manipulated by a third party.
+ * The main url should not change.
+ */
+
+ try {
+ String providerApiUrl = providerJson.getString(Provider.API_URL);
+ String providerDomain = providerJson.getString(Provider.DOMAIN);
+ if (getMainUrlString().contains(providerDomain) && providerApiUrl.contains(providerDomain + ":")) {
+ definition = providerJson;
+ parseDefinition(definition);
+ return true;
+ } else {
+ return false;
+ }
+ } catch (JSONException e) {
+ e.printStackTrace();
+ return false;
+ }
 }
 protected JSONObject getDefinition() { |
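Review bot: The new check in `define()` relies on `String.contains`, so it is not anchored to a host, and both comparisons depend on `providerDomain`, which is read from the same provider.json the check is meant to distrust. An empty or very short `domain` value satisfies `getMainUrlString().contains(providerDomain)`, and `providerApiUrl.contains(providerDomain + ":")` matches that text anywhere in the URL (path, userinfo, or the tail of a longer host name), not only as the host. I would parse both URLs and compare hosts, anchoring on the main URL's host because it is the one value the JSON does not control. The sketch below assumes `getMainUrlString()` returns an absolute URL whose host is the provider domain, which should be confirmed against real provider files, and it needs `java.net.URL`, `java.net.MalformedURLException` and `java.util.Locale` in scope. Separately, `e.printStackTrace()` should go through the app's logger, and callers now have to check the boolean result, which this hunk does not show.

```java
try {
    String providerApiUrl = providerJson.getString(Provider.API_URL);
    String providerDomain = providerJson.getString(Provider.DOMAIN);
    // Anchor on the main URL's host: it is the only value here not taken from providerJson.
    String mainHost = new URL(getMainUrlString()).getHost().toLowerCase(Locale.ROOT);
    String apiHost = new URL(providerApiUrl).getHost().toLowerCase(Locale.ROOT);
    boolean domainOk = !mainHost.isEmpty() && mainHost.equalsIgnoreCase(providerDomain);
    // Exact host or a true subdomain; the leading dot stops "evil" + mainHost from matching.
    boolean apiOk = apiHost.equals(mainHost) || apiHost.endsWith("." + mainHost);
    if (!domainOk || !apiOk) {
        return false;
    }
    // … unchanged: definition = providerJson; parseDefinition(definition); return true; …
} catch (JSONException | MalformedURLException e) {
    // … unchanged: report the error and return false …
}
```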